[Security solution] EASE Value Report #228877
@elasticmachine merge upstream
💛 Build succeeded, but was flaky
Friendly reminder: Looks like this PR hasn’t been backported yet.
...ublic/common/components/visualization_actions/lens_attributes/ai/cost_savings_metric.test.ts
## Summary

Issue: elastic/security-team#14504

[A previous PR](#228877) introduced the EASE Value report and the ability to export it in serverless. This PR makes the report available in ESS and adds logic to export it using the share plugin. The ESS export logic is different from that of serverless because schedule reporting is not available in Serverless yet (ResponseOps [plans](elastic/kibana-team#1847) to add support for it in 9.4).

The reporting is initiated in the client's browser when the user clicks on the "Export report" button, which becomes available once the report data and the cost savings trend insight have been fetched and generated respectively. The export report button makes a call to the server to generate a PDF for the report and passes the insight and a hash of the report data as parameters (aka "forwarded state"). A headless browser is used to navigate to a special route `/app/reportingRedirect` that looks up the corresponding locator (in this case, `AIValueReportLocatorDefinition`) which in turn resolves the URL of the value report (`/app/security/reports/ai_value`) _and_ the forwarded state to be stored in `history.location.state`. The value report page reacts to this state being present and renders itself in "export mode". When the components finish loading, the headless browser takes screenshots of everything that is contained within the value report page, which has a `data-shared-items-container` attribute attached to it.

Notice that we only forward the insight and the hash of the report data in order to avoid calling an LLM again in the headless browser when the data itself hasn't changed.

<img width="2766" height="948" alt="image" src="https://github.com/user-attachments/assets/01fbac58-1450-42e0-a16d-c456e9137878" />

## How to test

1. Run ESS locally (Elasticsearch and Kibana). Then log in as an admin and navigate to the rules management page (`app/security/rules/management`) to ensure that all indexes are properly initialized.
2. Use the [Security documents generator](https://github.com/enriquesanchez-elastic/security-documents-generator) (fork) to generate 60 days of alert data by running: `yarn start generate-alerts -n 10000 -h 100 -u 100 --start-date 60d --end-date now`
3. Run Attack Discovery over the 60 days of data that you generated (see the video below)

   https://github.com/user-attachments/assets/85cdefe8-2fc0-4a9c-ab7c-051ca7188b6f
4. Navigate to the "Value report" page. You can use the link on the left side, or you can go to `/app/security/reports/ai_value`.
5. Once the report loads, the "Export report" button should be enabled. Click on it and export it to a PDF. You should see a toast indicating that the export is ongoing and when it is done you should get a toast with a "Download report" button. Click on "Download report" and verify that the downloaded PDF matches the data that you are seeing on the screen. Play with it by adjusting the time window in the date picker next to the Export report button.

   https://github.com/user-attachments/assets/e1aea0ad-4b74-4ee3-b329-43181d479328

## Known issues

1. The icons next to these headings are clearer in the PDF and therefore hard to see

   PDF
   <img width="2856" height="254" alt="image" src="https://github.com/user-attachments/assets/849b465b-2efd-4f5d-a907-e5570639e2bd" />

   Website
   <img width="1814" height="166" alt="image" src="https://github.com/user-attachments/assets/9de8da9d-4779-4495-8477-3803d0a3e8e4" />

## Pending

1. Copy adjustments to the value report button
2. Placement of the value report button in the launchpad
3. Update the documentation on the restricted access view. See elastic/docs-content#3817
4. Follow the instructions after updating the Elastic Assistant prompt.

---------

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: Steph Milovic <stephanie.milovic@elastic.co>
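An added sketch, not code from this PR, of the hash-bound forwarded state described in the commit message above: the export page reuses the forwarded insight only when the forwarded hash matches the data it just fetched. The field names, the choice of SHA-256, `sampleData` and the synchronous `generate` callback are assumptions.

```typescript
import { createHash } from 'node:crypto';

// Hypothetical shapes: the PR text only says the insight and a hash of the
// report data are forwarded; these field names are assumptions.
interface ForwardedState { insight: string; reportDataHash: string }
type ReportData = Record<string, unknown>;

// Serialize with sorted object keys so equal data always hashes the same.
const canonicalize = (value: unknown): string => {
  if (Array.isArray(value)) return `[${value.map(canonicalize).join(',')}]`;
  if (value !== null && typeof value === 'object') {
    const obj = value as Record<string, unknown>;
    const entries = Object.keys(obj).sort()
      .map((k) => `${JSON.stringify(k)}:${canonicalize(obj[k])}`);
    return `{${entries.join(',')}}`;
  }
  return JSON.stringify(value) ?? 'null';
};

const hashReportData = (data: ReportData): string =>
  createHash('sha256').update(canonicalize(data)).digest('hex');

// Client side: built when the user clicks "Export report".
const buildForwardedState = (data: ReportData, insight: string): ForwardedState =>
  ({ insight, reportDataHash: hashReportData(data) });

// The state arrives through history.location.state, so validate its shape.
const isForwardedState = (s: unknown): s is ForwardedState => {
  if (typeof s !== 'object' || s === null) return false;
  const { insight, reportDataHash } = s as Record<string, unknown>;
  return typeof insight === 'string' && typeof reportDataHash === 'string'
    && /^[0-9a-f]{64}$/.test(reportDataHash);
};

// Export mode: reuse the insight only when the hash matches the data just
// fetched; otherwise fall back to `generate` (stand-in for the LLM call).
const resolveInsight = (
  state: unknown, freshData: ReportData, generate: (d: ReportData) => string,
): { insight: string; reused: boolean } =>
  isForwardedState(state) && state.reportDataHash === hashReportData(freshData)
    ? { insight: state.insight, reused: true }
    : { insight: generate(freshData), reused: false };

// Constructed sample data, not taken from the PR.
const sampleData: ReportData = { from: 'now-60d', to: 'now', alerts: 10000 };
const sampleState = buildForwardedState(sampleData, 'Cost savings are trending up.');
console.log(resolveInsight(sampleState, { ...sampleData, alerts: 10001 }, () => 'regenerated'));
```

An unkeyed hash like this only detects that the data changed; it does not authenticate the insight, so the insight text still has to be treated as user-supplied input when it is rendered.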
## Summary
Implements new EASE Value report.
## To test
Command to generate alerts: